US20060236369A1 - Method, apparatus and system for enforcing access control policies using contextual attributes - Google Patents
- Publication number
- US20060236369A1 US11/317,879
- Authority
- US
- United States
- Prior art keywords
- request
- contextual attributes
- access
- information
- contextual
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Abandoned
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3271—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials using challenge-response
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3234—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving additional secure or trusted devices, e.g. TPM, smartcard, USB or software token
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2111—Location-sensitive, e.g. geographical location, GPS
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/56—Financial cryptography, e.g. electronic payment or e-cash
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/60—Digital content management, e.g. content distribution
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0407—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden
- H04L63/0421—Anonymous communication, i.e. the party's identifiers are hidden from the other party or parties, e.g. using an anonymizer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/63—Location-dependent; Proximity-dependent
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/65—Environment-dependent, e.g. using captured environmental data
Definitions
- the present invention relates generally to computer security and, more specifically, to enforcing access control policies based on contextual attributes rather than relying solely on user identity information.
- Authentication is a fundamental building block in any system that enforces a security policy; it enables users to identify themselves to the system and provides a basis for access control. All authentication schemes follow the same basic approach: known identification information about a user is compared with information received from a source claiming to be that user. Authentication is successful if both pieces of information match. However, authentication failure will result if a match cannot be produced.
- the traditional approach to authentication implies that users must present identity information. However, there are situations in which verification of specific user identity information is neither practical nor appropriate. For example, a wireless Internet service provider (ISP) may care about a user's location (e.g., the user is physically seated in a WiFi-enabled restaurant) and not his or her specific user identity. Further, the traditional approach to authentication reveals user privacy information, which may not be necessary to get authenticated in some scenarios.
- ISP: Internet service provider
- FIG. 1 is a diagram of example data flows between a client device and a service provider using contextual attributes according to an embodiment of the present invention.
- FIG. 2 is a diagram of an example authentication system using contextual attributes according to an embodiment of the present invention.
- FIG. 3 is a diagram of an example access control system using contextual attributes according to an embodiment of the present invention.
- FIG. 4 is a flow diagram illustrating authentication processing using contextual attributes.
- FIG. 5 is a flow diagram illustrating access control using contextual attributes according to an embodiment of the present invention.
- contextual information may be utilized to perform authentication and determine authorization.
- authentication may include any process by which a user is verified (i.e., verifying that someone is who they claim they are), including the use of a username and a password, but may include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints.
- authorization includes the process of determining if an individual, once identified, is permitted to have access to the resource.
- the process of authorization, also referred to as access control, is typically implemented by determining if the individual has been granted explicit rights to access a resource, or if the individual is a part of a particular group that has rights to a resource.
- the terms “authorization” and “access control” may be used interchangeably in the present specification.
- Embodiments of the present invention take advantage of contextual information associated with users and their operating environment (e.g., resources and/or transactions requested). Given the abundance of information available to describe these users and their operating environment, there are certain scenarios in which contextual information may be more relevant than the user's unique identity for purposes of authentication and access control.
- Authentication and/or access control based solely on a user's contextual information according to embodiments of the present invention provides at least two benefits over existing usage models. First, user privacy is protected since embodiments of the present invention do not require the user to reveal personal identity information. Second, service providers benefit from reduced overhead due to simplified authentication and access control policy management.
- Embodiments of the present invention comprise schemes to achieve authentication and enforce access control without requiring specific identity information from the user. Instead of identifying the user, the context in which the user makes the request is determined.
- Context includes the physical environment at issue (e.g., ambient noise level, brightness, air temperature, atmospheric pressure, time, etc.), attributes relevant to a pending transaction that the user is involved in (e.g., an electronic receipt), and non-unique attributes about the user (e.g., the user's current location).
- the contextual attributes may be associated with the user making the access request (subject of the request), the resource being accessed (the object of the request) and/or the requested transaction itself. Additionally, various types of contextual attributes may be utilized, including identification attributes, implicit attributes and/or explicit attributes and any reference herein to “contextual attributes” shall include at least these types of attributes.
- identification attributes may refer to attributes that uniquely identify the subject or object (e.g., a username “Bob” or object reference “filename.txt”)
- implicit attributes may be non-unique attributes that may be assigned to the user or object (e.g., location, badge type)
- explicit attributes may be unique transaction-specific attributes that may be collected or observed by the subject or object (e.g., tokens such as an e-receipt or a capability that is maintained by the user).
- a public establishment 101 such as a coffee shop, for example, has partnered with a premium content Internet service provider 102 to provide access (perhaps for free) to premium content to customers who have made a purchase and remain physically located in the coffee shop.
- the establishment and the service provider are separate entities and are not co-located.
- a customer denoted “user” hereinafter
- the user enters the coffee shop and uses some form of electronic cash stored in a mobile computing device operated by the user to purchase an item for sale, such as coffee for example.
- the mobile computing device may be any client device 104 used for computing or telecommunication, such as a portable computer, personal digital assistant (PDA), cellular telephone, or messaging device, for example.
- client device 104 interacts with public establishment equipment 101 to engage in a transaction or communication.
- the client device interacts with an electronic cash register operated by the establishment to make a purchase.
- the user makes the purchase by communicating data representing electronic cash 106 from the client device 104 to the establishment 101 .
- the client device receives an electronic receipt 108 from the establishment indicating proof of purchase.
- the electronic receipt comprises a set of data (purchase information) representing the transaction (e.g., one or more of date, time, purchase amount, items purchased and so on) that may be stored in the client device.
- the purchase information may comprise data regarding any purchase by the user and/or the client device of at least one of goods and services from the establishment.
- a purchase may not be required and the establishment may provide an electronic token instead of an electronic receipt to the client device.
- the client device may provide the current geographic location of the client device and the electronic receipt (collectively denoted 110 in FIG. 1 ) to the service provider equipment.
- the combination of the current location within the premises of the establishment and the electronic receipt may comprise sufficient information to authenticate the user to the premium content service provider.
- the service provider 102 enables access to premium content 112 for the client device.
- the premium content may be an audio stream or file (e.g., current hit songs), an audio-video stream or file (e.g., music videos, movie clips, television programs, etc.), selected web pages, or other valuable information.
- the geographic location of the client device and possession of an electronic receipt are the contextual attributes required for the user's authentication to the premium content service provider.
- No other information such as a user name and password, or other identity information, is required to authenticate the user and allow access to the premium content.
- FIG. 2 is a diagram of an example authentication system using contextual attributes according to an embodiment of the present invention.
- a service provider 102 comprises at least a computer server system including an authentication module 200 implemented in one or more of software, firmware, and hardware.
- the authentication module reviews policies determining access and usage of premium content available from the service provider and provides the client device 104 with a challenge that must be met in order to achieve authentication.
- the client device sends an answer to the challenge that may be authenticated by the authentication module of the service provider. If the answer is acceptable according to the policy, access to premium content may be granted.
- the service provider may communicate with the client device over a network 202 .
- the network is the Internet, and the communication between the service provider and the client device takes place wirelessly according to any one of several well-known wireless protocols. In other embodiments, other networks may be used.
- Service provider 102 includes other well-known components omitted from FIG. 2 for clarity.
- an attribute management module 204 interacts with the authentication module 200 to provide necessary information to the service provider in order to be given access to the premium content or authenticated for other purposes.
- the attribute management module may be implemented in one or more of software, firmware, and hardware.
- the attribute management module collects and manages trusted contextual attributes of the client device. The contextual attributes should be protected on the client device to deter unauthorized changes to the attributes in order to obtain benefits or access to content.
- the attribute management module 204 communicates with a trusted platform module (TPM) 206 residing on the client device.
- TPM: trusted platform module
- the TPM provides a foundation for trust and contains at least one or more of cryptographic keys 208 , protected secrets 210 , and secure location data 212 .
- Secure location data may be obtained by location unit 214 .
- the secure location data may comprise global positioning service (GPS) data and the GPS data may be obtained from a GPS receiver functioning as the location unit residing on the client device.
- GPS: global positioning service
- the location unit comprises a GPS receiver
- the GPS receiver operates according to well-known methods to determine a geographic location. In other embodiments, other well known methods of determining location of the client device by the location unit may be used.
- the TPM protects the data stored therein from attempts to gain unauthorized access according to well-known methods as described in relevant specifications of the Trusted Computing Group (TCG).
- the attribute management module 204 collects contextual attributes (such as protected secrets 210 , and current geographic location information (secure location data 212 )), and may have the contextual attributes digitally signed by an attestation identity key (AIK), which may be one of the cryptographic keys 208 securely stored in the TPM.
- Client device 104 includes other well-known components omitted from FIG. 2 for clarity.
- FIG. 3 is a diagram of an example access control system using contextual attributes according to an embodiment of the present invention.
- this system may be implemented together with an authentication system as described above.
- an access control system according to an embodiment of the present invention may be implemented with other authentication schemes that do not utilize contextual attributes. While the latter access control system may lack some of the benefits provided by the authentication scheme that utilizes contextual attributes, it may nonetheless provide significant flexibility to a service provider by eliminating the need for users' personal information.
- FIG. 3 includes all components of FIG. 2 and an access control component 300 .
- Access control component 300 may comprise various sub-components, including a resource manager 302 and a policy database 304 .
- the request may be passed to access control component 300 .
- the request may include the contextual attributes previously collected (by attribute management module 204 or a comparable module).
- access control component 300 may utilize the contextual attributes to enforce access control, i.e., to provide authorization to a request.
- resource manager 302 may examine the contextual attributes.
- the contextual attributes may be associated with the user making the access request (subject of the request), the resource being accessed (the object of the request) and/or the requested transaction itself.
- the client request may include a “tuple” comprising the object, subject and/or the requested transaction.
- Resource manager 302 may utilize the contextual attributes to query policy database 304 , to determine whether authorization is to be allowed. If policy database 304 determines that the incoming request matches an “allowed” policy statement, access to protected resource 306 is granted.
- protected resource 306 may reside in a variety of locations without impacting embodiments of the present invention. Thus, in one embodiment, protected resource 306 may reside on a device at service provider 102 . More likely, however, is an embodiment in which protected resource 306 resides at a remote location on Network 202 .
- embodiments of the present invention provide various advantages over current access control models. Most importantly, embodiments of the invention are uniquely suited to dynamic computing environments, as compared to existing access control models that typically utilize static concepts (user identities, object names, subject roles, etc.). Additionally, by utilizing contextual attributes, embodiments of the invention provide for less administrative overhead for defining and managing access policies. As illustrated in the example policy statement above, service providers may define intricate policies applicable to large groups of users because higher level policy may more easily be mapped into lower level system rules using contextual attributes. These policy statements enable the service providers significant flexibility because the providers are not limited to using pre-defined entities in policy specifications, therefore requiring less management overhead.
- Embodiments of the invention also enhance service providers' ability to protect user privacy by using contextual attributes instead of personal identity information. They additionally enable new business models by providing companies with increased flexibility to provide services and/or rewards. Thus, for example, as previously described in the background, in a WiFi-enabled restaurant that currently partners with an ISP to offer free wireless internet to paying customers, all customers typically get the same default level of service. According to embodiments of the present invention, however, the ISP would have the flexibility of easily defining rich, fine-grained access control policies that provide different levels of access based on contextual attributes. For example, different levels of services may be provided based on the purchase amounts, frequency of purchases or visits to the establishment, etc.
- FIG. 4 is a flow diagram illustrating authentication processing using contextual attributes according to an embodiment of the present invention.
- a user may be operating a wireless communication enabled client device within the wireless range of a service provider's establishment. While there, the attribute management module 204 of the client device may securely obtain and store contextual attributes at block 300 .
- the contextual attributes may comprise many different items of information about the current environment of the client device.
- contextual information may include one or more of geographic location, air temperature at that geographic location, user purchase information, ambient noise level at the location, brightness of the environment at the location, current weather conditions other than temperature such as atmospheric pressure, velocity of movement of the client device, current processing load of the processing unit of the client device, available battery power of the client device, and current communications load between client devices and the service provider.
- the contextual attributes may comprise data not explicitly generated by the user.
- additional components or circuitry may be included in the client device (e.g., a location unit such as a GPS receiver, for example, for determining geographic location, a microphone for capturing ambient noise level, a camera for obtaining brightness, a thermometer for determining temperature, a barometer for determining pressure, and so on).
- the contextual attributes may be stored by the attribute management module in the TPM 206 to deter tampering with the data.
- the activity of obtaining and storing contextual attributes may be continuously performed by the client device regardless of its current operating mode, may be performed periodically according to a schedule, or may in some embodiments be performed at the explicit direction of the user.
- the client device may request access to the premium content from the service provider. In one embodiment, this may involve sending a communications packet wirelessly from the client device to the service provider using well-known techniques. Alternatively, the client device may sense a signal offering service from the service provider once the client device is brought within range of the service provider's signal.
- Upon receiving the access request from the client device, the service provider in one embodiment determines whether the requested access to the premium content is restricted by a selected access policy.
- An access policy may be a set of rules governing access to the service provider's data, for example, premium content. There may be many different access policies for a service provider as well as a mechanism for selecting a given applicable access policy.
- the service provider may allow access by the client device. If the access policy does not allow unrestricted access, then the service provider may invoke the authentication module 200 to verify the source of the request.
- the security decision on whether to allow access or not may be based on contextual attributes.
- the policy may be set up so as to require a selected set of data to be obtained from the client device. For example, in one embodiment, the access policy may require that the client device be physically located within 50 feet of the service provider and that the client device has an electronic receipt indicating a recent purchase of at least $2 of merchandise from the establishment of the service provider. This example is illustrative only and other access policies based on many other contextual attributes are contemplated and all are within the scope of the present invention.
- the authentication module may challenge the client device to provide the contextual attributes required by the selected access policy.
- the attribute management module at block 408 obtains the required contextual attributes from the TPM and, in one embodiment, digitally signs the contextual attributes using one of the cryptographic keys stored in the TPM, such as the attestation identity key (AIK), for example, according to well-known TPM signing processes.
- AIK: attestation identity key
- FIG. 5 is a flow diagram illustrating access control processing using contextual attributes according to an embodiment of the present invention.
- an access control scheme may typically be used with an authentication scheme to determine whether a user request is authorized.
- While an authentication scheme may verify a request based on contextual attributes, the permissions associated with the request remain to be determined by the access control policy.
- the access control policy may not itself utilize contextual attributes but may instead challenge the authentication scheme to provide specific information to determine appropriate access to resources.
- contextual attributes may be utilized directly by an access control scheme to determine access to resources.
- a user may be operating a wireless communication enabled client device within the wireless range of a service provider's establishment and attribute management module 204 of the client device or a comparable module may securely obtain and store contextual attributes.
- an access request may be received from the client device at block 500 and authenticated in block 502 .
- the authentication scheme utilized is the scheme described above, while in an alternate embodiment, other authentication schemes may be utilized.
- the authenticated request may be received by resource manager 302 together with the contextual attributes associated with the request, and the contextual attributes may be examined.
- the contextual attributes may be associated with the user making the access request (subject of the request), the resource being accessed (the object of the request) and/or the requested transaction itself and may include various types of attributes (identification attributes, implicit attributes and/or explicit attributes).
- resource manager 302 may utilize the contextual attributes to query policy database 304 , to determine whether authorization is to be allowed. If policy database 304 determines in 508 that the incoming request matches an “allowed” policy statement, access to the protected resource is granted in 510 . Thus, for example, if the policy specifies that to be granted access to the Wall Street Journal Online for 30 minutes from the time of purchase, the subject must be physically at a particular location (an implicit attribute), with a valid e-receipt (provided explicitly by the user) that indicates a purchase amount less than $5, any user request matching these properties may be allowed access to the premium content. If the contextual attributes are not valid according to the policy, access may be denied in block 512 .
- embodiments of the present invention describe methods for achieving authentication and/or enforcing access control policies without requiring the user to reveal user identity information.
- authentication and/or access control may be achieved using trusted contextual attributes firmly rooted in the TPM of the client device.
- Although TPM is used throughout this application, embodiments of the invention are not so limited. Instead, any type of root of trust mechanism may be utilized without departing from the spirit of embodiments of the invention. Since the concept of root of trust is well known to those of ordinary skill in the art, further description thereof is omitted herein in order not to unnecessarily obscure embodiments of the invention.
- the techniques described herein are not limited to any particular hardware or software configuration; they may find applicability in any computing or processing environment.
- the techniques may be implemented in hardware, software, or a combination of the two.
- the techniques may be implemented in programs executing on programmable machines such as mobile or stationary computers, personal digital assistants, set top boxes, cellular telephones and pagers, and other electronic devices, that each include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and one or more output devices.
- Program code is applied to the data entered using the input device to perform the functions described and to generate output information.
- the output information may be applied to one or more output devices.
- the invention can be practiced with various computer system configurations, including multiprocessor systems, minicomputers, mainframe computers, and the like.
- the invention can also be practiced in distributed computing environments where tasks may be performed by remote processing devices that are linked through a communications network.
- Each program may be implemented in a high level procedural or object oriented programming language to communicate with a processing system.
- programs may be implemented in assembly or machine language, if desired. In any case, the language may be compiled or interpreted.
- Program instructions may be used to cause a general-purpose or special-purpose processing system that is programmed with the instructions to perform the operations described herein.
- the operations may be performed by specific hardware components that contain hardwired logic for performing the operations, or by any combination of programmed computer components and custom hardware components.
- the methods described herein may be provided as a computer program product that may include a machine readable medium having stored thereon instructions that may be used to program a processing system or other electronic device to perform the methods.
- the term “machine readable medium” used herein shall include any medium that is capable of storing or encoding a sequence of instructions for execution by the machine and that cause the machine to perform any one of the methods described herein.
- the term “machine readable medium” shall accordingly include, but not be limited to, solid-state memories, optical and magnetic disks, and a carrier wave that encodes a data signal.
Abstract
A method, apparatus and system provide access control utilizing contextual attributes. An access control module may receive a client request for access to a protected resource. The access control module may examine the contextual attributes associated with the request and compare the attributes against a policy database. If the attributes are valid according to a policy in the policy database, access may be granted to the protected resource. Otherwise, access may be denied.
Description
- The present application is a continuation-in-part of co-pending patent application U.S. application Ser. No. 11/089,885 (Atty Docket Number 42390.P21001), entitled “Method for Enabling Authentication Without Requiring User Identity Information”, filed on Mar. 24, 2005, and assigned to the assignee of the present application.
- 1. Field
- The present invention relates generally to computer security and, more specifically, to enforcing access control policies based on contextual attributes rather than relying solely on user identity information.
- 2. Description
- Authentication is a fundamental building block in any system that enforces a security policy; it enables users to identify themselves to the system and provides a basis for access control. All authentication schemes follow the same basic approach: known identification information about a user is compared with information received from a source claiming to be that user. Authentication is successful if both pieces of information match. However, authentication failure will result if a match cannot be produced.
- The traditional approach to authentication implies that users must present identity information. However, there are situations in which verification of specific user identity information is neither practical nor appropriate. For example, a wireless Internet service provider (ISP) may care about a user's location (e.g., the user is physically seated in a WiFi-enabled restaurant) and not his or her specific user identity. Further, the traditional approach to authentication reveals user privacy information, which may not be necessary to get authenticated in some scenarios.
- Similarly, in traditional authorization or access control models, users and objects must typically be known a priori in order to define a policy. As a result, within a dynamic computing environment where users and resources may be constantly changing, these traditional schemes are highly limiting. For instance, in the example above where a user is physically seated in a Wi-Fi-enabled restaurant (i.e., a restaurant that has partnered with an ISP to provide wireless online services), the restaurant may wish to provide premium online services to a large number of users, without requiring advance registration. The restaurant may, however, want to construct varying levels of access for different types of users. Existing access control schemes may result in the restaurant and/or ISP incurring significant overhead to define and manage the authorization process.
- The present invention is illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements, and in which:
- FIG. 1 is a diagram of example data flows between a client device and a service provider using contextual attributes according to an embodiment of the present invention;
- FIG. 2 is a diagram of an example authentication system using contextual attributes according to an embodiment of the present invention;
- FIG. 3 is a diagram of an example access control system using contextual attributes according to an embodiment of the present invention;
- FIG. 4 is a flow diagram illustrating authentication processing using contextual attributes; and
- FIG. 5 is a flow diagram illustrating access control using contextual attributes according to an embodiment of the present invention.
- Reference in the specification to “one embodiment” or “an embodiment” of the present invention means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, the appearances of the phrase “in one embodiment” appearing in various places throughout the specification are not necessarily all referring to the same embodiment.
- According to embodiments of the present invention, contextual information may be utilized to perform authentication and determine authorization. For the purposes of this specification, “authentication” may include any process by which a user is verified (i.e., verifying that someone is who they claim they are), including the use of a username and a password, but may include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints. Additionally, for the purposes of this specification, “authorization” includes the process of determining if an individual, once identified, is permitted to have access to the resource. The process of authorization, also referred to as access control, is typically implemented by determining if the individual has been granted explicit rights to access a resource, or if the individual is a part of a particular group that has rights to a resource. The terms “authorization” and “access control” may be used interchangeably in the present specification.
- Embodiments of the present invention take advantage of contextual information associated with users and their operating environment (e.g., resources and/or transactions requested). Given the abundance of information available to describe these users and their operating environment, there are certain scenarios in which contextual information may be more relevant than the user's unique identity for purposes of authentication and access control. Authentication and/or access control based solely on a user's contextual information according to embodiments of the present invention provides at least two benefits over existing usage models. First, user privacy is protected since embodiments of the present invention do not require the user to reveal personal identity information. Second, service providers benefit from reduced overhead due to simplified authentication and access control policy management.
- Embodiments of the present invention comprise schemes to achieve authentication and enforce access control without requiring specific identity information from the user. Instead of identifying the user, the context in which the user makes the request is determined. Context, as used herein, includes the physical environment at issue (e.g., ambient noise level, brightness, air temperature, atmospheric pressure, time, etc.), attributes relevant to a pending transaction that the user is involved in (e.g., an electronic receipt), and non-unique attributes about the user (e.g., the user's current location).
- In various embodiments, the contextual attributes may be associated with the user making the access request (subject of the request), the resource being accessed (the object of the request) and/or the requested transaction itself. Additionally, various types of contextual attributes may be utilized, including identification attributes, implicit attributes and/or explicit attributes and any reference herein to “contextual attributes” shall include at least these types of attributes. Thus, for example, identification attributes may refer to attributes that uniquely identify the subject or object (e.g., a username “Bob” or object reference “filename.txt”), implicit attributes may be non-unique attributes that may be assigned to the user or object (e.g., location, badge type) and explicit attributes may be unique transaction-specific attributes that may be collected or observed by the subject or object (e.g., tokens such as an e-receipt or a capability that is maintained by the user).
- Consider a scenario such as is shown in FIG. 1, in which a public establishment 101 such as a coffee shop, for example, has partnered with a premium content Internet service provider 102 to provide access (perhaps for free) to premium content to customers who have made a purchase and remain physically located in the coffee shop. In at least one embodiment, the establishment and the service provider are separate entities and are not co-located. In order to access the premium content via the wireless service, a customer (denoted “user” hereinafter) must provide proof that the user is physically located in the coffee shop and that the user has made a recent purchase. Initially, the user enters the coffee shop and uses some form of electronic cash stored in a mobile computing device operated by the user to purchase an item for sale, such as coffee for example. The mobile computing device may be any client device 104 used for computing or telecommunication, such as a portable computer, personal digital assistant (PDA), cellular telephone, or messaging device, for example. In the system 100 shown in FIG. 1, the client device 104 interacts with public establishment equipment 101 to engage in a transaction or communication.
- In one example, the client device interacts with an electronic cash register operated by the establishment to make a purchase. In this example, the user makes the purchase by communicating data representing electronic cash 106 from the client device 104 to the establishment 101. In return, the client device receives an electronic receipt 108 from the establishment indicating proof of purchase. The electronic receipt comprises a set of data (purchase information) representing the transaction (e.g., one or more of date, time, purchase amount, items purchased and so on) that may be stored in the client device. The purchase information may comprise data regarding any purchase by the user and/or the client device of at least one of goods and services from the establishment. In another example, a purchase may not be required and the establishment may provide an electronic token instead of an electronic receipt to the client device.
- While enjoying the purchase, the user may wish to take advantage of premium content available for download to wireless client devices operated by current customers of the establishment. However, the user may desire to obtain the premium content without divulging personal information to the service provider, such as identity. In this case, in one example of using contextual attributes, the client device may provide the current geographic location of the client device and the electronic receipt (collectively denoted 110 in FIG. 1) to the service provider equipment. In one example, the combination of the current location within the premises of the establishment and the electronic receipt may comprise sufficient information to authenticate the user to the premium content service provider. In response, the service provider 102 enables access to premium content 112 for the client device. In one embodiment, the premium content may be an audio stream or file (e.g., current hit songs), an audio-video stream or file (e.g., music videos, movie clips, television programs, etc.), selected web pages, or other valuable information.
- In this embodiment, the geographic location of the client device and possession of an electronic receipt (or other token) are the contextual attributes required for the user's authentication to the premium content service provider. No other information, such as a user name and password, or other identity information, is required to authenticate the user and allow access to the premium content.
- FIG. 2 is a diagram of an example authentication system using contextual attributes according to an embodiment of the present invention. On the server side, a service provider 102 comprises at least a computer server system including an authentication module 200 implemented in one or more of software, firmware, and hardware. The authentication module reviews policies determining access and usage of premium content available from the service provider and provides the client device 104 with a challenge that must be met in order to achieve authentication. In response, the client device sends an answer to the challenge that may be authenticated by the authentication module of the service provider. If the answer is acceptable according to the policy, access to premium content may be granted. The service provider may communicate with the client device over a network 202. In one embodiment, the network is the Internet, and the communication between the service provider and the client device takes place wirelessly according to any one of several well-known wireless protocols. In other embodiments, other networks may be used. Service provider 102 includes other well-known components omitted from FIG. 2 for clarity.
- On the client side, an attribute management module 204 interacts with the authentication module 200 to provide necessary information to the service provider in order to be given access to the premium content or authenticated for other purposes. The attribute management module may be implemented in one or more of software, firmware, and hardware. In one embodiment, the attribute management module collects and manages trusted contextual attributes of the client device. The contextual attributes should be protected on the client device to deter unauthorized changes to the attributes in order to obtain benefits or access to content. The attribute management module 204 communicates with a trusted platform module (TPM) 206 residing on the client device. The TPM provides a foundation for trust and contains at least one or more of cryptographic keys 208, protected secrets 210, and secure location data 212.
- Secure location data may be obtained by location unit 214. In one embodiment, the secure location data may comprise global positioning service (GPS) data and the GPS data may be obtained from a GPS receiver functioning as the location unit residing on the client device. In the embodiment wherein the location unit comprises a GPS receiver, the GPS receiver operates according to well-known methods to determine a geographic location. In other embodiments, other well known methods of determining location of the client device by the location unit may be used.
- The TPM protects the data stored therein from attempts to gain unauthorized access according to well-known methods as described in relevant specifications of the Trusted Computing Group (TCG). The attribute management module 204 collects contextual attributes (such as protected secrets 210, and current geographic location information (secure location data 212)), and may have the contextual attributes digitally signed by an attestation identity key (AIK), which may be one of the cryptographic keys 208 securely stored in the TPM. Client device 104 includes other well-known components omitted from FIG. 2 for clarity.
- FIG. 3 is a diagram of an example access control system using contextual attributes according to an embodiment of the present invention. In one embodiment, this system may be implemented together with an authentication system as described above. Alternatively, however, an access control system according to an embodiment of the present invention may be implemented with other authentication schemes that do not utilize contextual attributes. While the latter access control system may lack some of the benefits provided by the authentication scheme that utilizes contextual attributes, it may nonetheless provide significant flexibility to a service provider by eliminating the need for users' personal information.
- As illustrated, FIG. 3 includes all components of FIG. 2 and an access control component 300. As previously described, alternative embodiments may implement a different authentication scheme, but for the purposes of simplicity, the following example assumes the use of the authentication scheme described in FIG. 2. Access control component 300 may comprise various sub-components, including a resource manager 302 and a policy database 304. In one embodiment, upon authentication of the request as described above or according to alternate secure schemes, the request may be passed to access control component 300. The request may include the contextual attributes previously collected (by attribute management module 204 or a comparable module). In one embodiment of the present invention, access control component 300 may utilize the contextual attributes to enforce access control, i.e., to provide authorization to a request.
- Thus, in one embodiment, upon receipt of the request, resource manager 302 may examine the contextual attributes. As previously described, the contextual attributes may be associated with the user making the access request (subject of the request), the resource being accessed (the object of the request) and/or the requested transaction itself. In one embodiment of the invention, the client request may include a “tuple” comprising the object, subject and/or the requested transaction.
- Resource manager 302 may utilize the contextual attributes to query policy database 304, to determine whether authorization is to be allowed. If policy database 304 determines that the incoming request matches an “allowed” policy statement, access to protected resource 306 is granted. Thus, for example, the following is an example of a policy statement according to an embodiment of the present invention for the coffee shop scenario described above. For the purposes of illustration, an XML-type representation is used to outline the individual components that comprise the example policy statement:

    <ABAC Policy>
      <Subject>
        <Ident> Not Required
        <Implicit> Location = Coffee Shop </Implicit>
        <Explicit>
          $0 < Purchase Amount < $5
          Time of Access < Time of Purchase + 30 minutes
        </Explicit>
      </Subject>
      <Object>
        <Ident> Not Required
        <Implicit> Content = Wall Street Journal Online </Implicit>
      </Object>
      <Permission> ALLOW </Permission>
    </ABAC Policy>

- In this example, the subject must be physically at the coffee shop (an implicit attribute), with a valid e-receipt (provided explicitly by the user) that indicates a purchase amount less than $5. Any user matching these properties will be granted access to the Wall Street Journal Online for 30 minutes from the time of purchase. If all of these conditions are met, access to the premium content (protected resource 306) will be allowed. It will be readily apparent to those of ordinary skill in the art that protected resource 306 may reside in a variety of locations without impacting embodiments of the present invention. Thus, in one embodiment, protected resource 306 may reside on a device at service provider 102. More likely, however, is an embodiment in which protected resource 306 resides at a remote location on Network 202.
- Thus, embodiments of the present invention provide various advantages over current access control models. Most importantly, embodiments of the invention are uniquely suited to dynamic computing environments, as compared to existing access control models that typically utilize static concepts (user identities, object names, subject roles, etc.). Additionally, by utilizing contextual attributes, embodiments of the invention provide for less administrative overhead for defining and managing access policies. As illustrated in the example policy statement above, service providers may define intricate policies applicable to large groups of users because higher level policy may more easily be mapped into lower level system rules using contextual attributes. These policy statements enable the service providers significant flexibility because the providers are not limited to using pre-defined entities in policy specifications, therefore requiring less management overhead.
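The coffee-shop policy statement above, evaluated in code as an added example (not code from the patent). The type and function names, the default-deny rule and the check that access does not precede the purchase are assumptions of this example; the sample requests are constructed.

```python
"""Added example: default-deny evaluation of the coffee-shop ABAC policy statement."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Iterable, Optional


@dataclass(frozen=True)
class Receipt:
    """Explicit attribute: purchase information carried in the e-receipt."""
    amount: Decimal
    purchased_at: datetime


@dataclass(frozen=True)
class Request:
    """Attributes of one request; there is deliberately no identity field."""
    location: Optional[str]       # implicit subject attribute
    receipt: Optional[Receipt]    # explicit subject attribute
    content: str                  # implicit object attribute
    accessed_at: datetime         # assumed to come from the server clock


@dataclass(frozen=True)
class PolicyStatement:
    location: str
    content: str
    min_amount: Decimal           # exclusive lower bound
    max_amount: Decimal           # exclusive upper bound
    window: timedelta
    permission: str = "ALLOW"

    def matches(self, req: Request) -> bool:
        if req.location != self.location or req.content != self.content:
            return False
        if req.receipt is None:   # a missing explicit attribute never matches
            return False
        if not (self.min_amount < req.receipt.amount < self.max_amount):
            return False
        # The lower bound is an assumption added here: a receipt dated after
        # the access time is rejected instead of counting as inside the window.
        start = req.receipt.purchased_at
        return start <= req.accessed_at < start + self.window


def authorize(req: Request, policy_db: Iterable[PolicyStatement]) -> str:
    """Return ALLOW only when an ALLOW statement matches; otherwise DENY."""
    for stmt in policy_db:
        if stmt.permission == "ALLOW" and stmt.matches(req):
            return "ALLOW"
    return "DENY"


# The policy statement from the text, expressed with the hypothetical types above.
POLICY_DB = [PolicyStatement(
    location="Coffee Shop",
    content="Wall Street Journal Online",
    min_amount=Decimal("0"),
    max_amount=Decimal("5"),
    window=timedelta(minutes=30),
)]

T0 = datetime(2005, 12, 22, 9, 0)  # constructed time of purchase


def sample(amount="3.50", location="Coffee Shop", minutes=10, receipt=True):
    """Build a constructed request made `minutes` after the purchase."""
    r = Receipt(Decimal(amount), T0) if receipt else None
    return Request(location, r, "Wall Street Journal Online",
                   T0 + timedelta(minutes=minutes))


if __name__ == "__main__":
    cases = {
        "in shop, $3.50, 10 min": sample(),
        "window elapsed": sample(minutes=30),
        "amount at upper bound": sample(amount="5.00"),
        "wrong location": sample(location="Parking Lot"),
        "no receipt": sample(receipt=False),
    }
    for label, req in cases.items():
        print(f"{label:24s} {authorize(req, POLICY_DB)}")
```

Because both bounds in the statement are strict, a $5.00 receipt and a request at exactly 30 minutes are denied.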
- Embodiments of the invention also enhance service providers' ability to protect user privacy by using contextual attributes instead of personal identity information. They additionally enable new business models by providing companies with increased flexibility to provide services and/or rewards. Thus, for example, as previously described in the background, in a WiFi-enabled restaurant that currently partners with an ISP to offer free wireless internet to paying customers, all customers typically get the same default level of service. According to embodiments of the present invention, however, the ISP would have the flexibility of easily defining rich, fine-grained access control policies that provide different levels of access based on contextual attributes. For example, different levels of services may be provided based on the purchase amounts, frequency of purchases or visits to the establishment, etc.
- FIG. 4 is a flow diagram illustrating authentication processing using contextual attributes according to an embodiment of the present invention. A user may be operating a wireless communication enabled client device within the wireless range of a service provider's establishment. While there, the attribute management module 204 of the client device may securely obtain and store contextual attributes at block 300. The contextual attributes may comprise many different items of information about the current environment of the client device. For example, contextual information may include one or more of geographic location, air temperature at that geographic location, user purchase information, ambient noise level at the location, brightness of the environment at the location, current weather conditions other than temperature such as atmospheric pressure, velocity of movement of the client device, current processing load of the processing unit of the client device, available battery power of the client device, and current communications load between client devices and the service provider.
- Other contextual attributes may also be used within the scope of embodiments of the present invention. The contextual attributes may comprise data not explicitly generated by the user. To obtain some contextual attributes, additional components or circuitry may be included in the client device (e.g., a location unit such as a GPS receiver, for example, for determining geographic location, a microphone for capturing ambient noise level, a camera for obtaining brightness, a thermometer for determining temperature, a barometer for determining pressure, and so on). The contextual attributes may be stored by the attribute management module in the TPM 206 to deter tampering with the data. The activity of obtaining and storing contextual attributes may be continuously performed by the client device regardless of its current operating mode, may be performed periodically according to a schedule, or may in some embodiments be performed at the explicit direction of the user.
- At block 402, when the user operates the client device within or near an establishment within range of the service provider and is made aware of the potential availability of premium content through any means, the client device may request access to the premium content from the service provider. In one embodiment, this may involve sending a communications packet wirelessly from the client device to the service provider using well-known techniques. Alternatively, the client device may sense a signal offering service from the service provider once the client device is brought within range of the service provider's signal. At block 404, upon receiving the access request from the client device, the service provider in one embodiment determines whether the requested access to the premium content is restricted by a selected access policy. An access policy may be a set of rules governing access to the service provider's data, for example, premium content. There may be many different access policies for a service provider as well as a mechanism for selecting a given applicable access policy.
- If the access policy allows unrestricted access, then the service provider may allow access by the client device. If the access policy does not allow unrestricted access, then the service provider may invoke the authentication module 200 to verify the source of the request. In embodiments of the present invention, the security decision on whether to allow access or not may be based on contextual attributes. The policy may be set up so as to require a selected set of data to be obtained from the client device. For example, in one embodiment, the access policy may require that the client device be physically located within 50 feet of the service provider and that the client device has an electronic receipt indicating a recent purchase of at least $2 of merchandise from the establishment of the service provider. This example is illustrative only and other access policies based on many other contextual attributes are contemplated and all are within the scope of the present invention.
- Hence, at block 406 the authentication module may challenge the client device to provide the contextual attributes required by the selected access policy. For the client device's answer, the attribute management module at block 408 obtains the required contextual attributes from the TPM and, in one embodiment, digitally signs the contextual attributes using one of the cryptographic keys stored in the TPM, such as the attestation identity key (AIK), for example, according to well-known TPM signing processes.
- Next, the attribute management module at block 410 sends a response containing the signed contextual attributes to the authentication module of the service provider. Upon receiving the client device's response, the authentication module at block 412 verifies the signature on the response and then determines if the client device's supplied contextual attributes are valid according to the selected access policy (that is, if the attributes meet the requirements of the policy). If the attributes are valid and conform to the selected access policy, then authentication of the client device is successful and access to the premium content or other data may be enabled at block 414. If the attributes are not valid according to the policy, access may be denied. Further details of an access control policy according to an embodiment of the present invention are described below, with respect to FIG. 5.
- FIG. 5 is a flow diagram illustrating access control processing using contextual attributes according to an embodiment of the present invention. As described above, an access control scheme may typically be used with an authentication scheme to determine whether a user request is authorized. In other words, although an authentication scheme may verify a request based on contextual attributes, the permissions associated with the request remain to be determined by the access control policy. In the scheme described above, the access control policy may not itself utilize contextual attributes but may instead challenge the authentication scheme to provide specific information to determine appropriate access to resources.
- According to embodiments of the present invention, however, contextual attributes may be utilized directly by an access control scheme to determine access to resources. For the purposes of illustration, the example scenario described above with respect to the authentication scheme continues to hold true, i.e., a user may be operating a wireless communication enabled client device within the wireless range of a service provider's establishment and attribute management module 204 of the client device or a comparable module may securely obtain and store contextual attributes. Thus, an access request may be received from the client device at block 500 and authenticated in block 502.
- According to one embodiment, the authentication scheme utilized is the scheme described above while in an alternate embodiment, other authentication schemes may be utilized. In block 504, in one embodiment of the invention, the authenticated request may be received by resource manager 302 together with the contextual attributes associated with the request, and the contextual attributes may be examined. As previously described, the contextual attributes may be associated with the user making the access request (subject of the request), the resource being accessed (the object of the request) and/or the requested transaction itself and may include various types of attributes (identification attributes, implicit attributes and/or explicit attributes).
- In block 506, resource manager 302 may utilize the contextual attributes to query policy database 304, to determine whether authorization is to be allowed. If policy database 304 determines in 508 that the incoming request matches an “allowed” policy statement, access to the protected resource is granted in 510. Thus, for example, if the policy specifies that to be granted access to the Wall Street Journal Online for 30 minutes from the time of purchase, the subject must be physically at a particular location (an implicit attribute), with a valid e-receipt (provided explicitly by the user) that indicates a purchase amount less than $5, any user request matching these properties may be allowed access to the premium content. If the contextual attributes are not valid according to the policy, access may be denied in block 512.
- Thus, embodiments of the present invention describe methods for achieving authentication and/or enforcing access control policies without requiring the user to reveal user identity information. In this case, authentication and/or access control may be achieved using trusted contextual attributes firmly rooted in the TPM of the client device. Although the term TPM is used throughout this application, embodiments of the invention are not so limited. Instead, any type of root of trust mechanism may be utilized without departing from the spirit of embodiments of the invention. Since the concept of root of trust is well known to those of ordinary skill in the art, further description thereof is omitted herein in order not to unnecessarily obscure embodiments of the invention.
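The challenge and signed-response exchange of FIG. 4 (blocks 406 to 414), as an added example that is not code from the patent. Assumptions: an HMAC over a shared demo key stands in for the asymmetric AIK signature made inside the TPM, the single-use nonce in the challenge is added here, and the class names, attribute names and sample values are hypothetical.

```python
"""Added example: FIG. 4 exchange with HMAC standing in for the TPM AIK signature."""
import hashlib
import hmac
import json
import secrets

# Stand-in for the AIK. A real client signs inside the TPM with an asymmetric
# key and the server verifies with the public half; HMAC keeps this stdlib-only.
DEMO_KEY = secrets.token_bytes(32)


def canonical(nonce: str, attrs: dict) -> bytes:
    """Deterministic encoding so both sides sign and verify identical bytes."""
    return json.dumps({"nonce": nonce, "attrs": attrs},
                      sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, nonce: str, attrs: dict) -> str:
    return hmac.new(key, canonical(nonce, attrs), hashlib.sha256).hexdigest()


class AttributeManager:
    """Client side (blocks 408-410): answer a challenge with signed attributes."""

    def __init__(self, key: bytes, attrs: dict):
        self._key, self._attrs = key, attrs

    def respond(self, challenge: dict) -> dict:
        # Release only what the policy asks for; other attributes stay local.
        attrs = {name: self._attrs[name] for name in challenge["required"]}
        nonce = challenge["nonce"]
        return {"nonce": nonce, "attrs": attrs,
                "sig": sign(self._key, nonce, attrs)}


class AuthenticationModule:
    """Server side (blocks 406 and 412-414)."""

    REQUIRED = ("distance_ft", "purchase_amount")

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()          # nonces issued and not yet consumed

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self._pending.add(nonce)
        return {"nonce": nonce, "required": list(self.REQUIRED)}

    def verify(self, response: dict) -> bool:
        nonce = response.get("nonce")
        if nonce not in self._pending:
            return False               # unknown or already used: replayed answer
        self._pending.discard(nonce)   # single use, even if a later check fails
        attrs = response.get("attrs")
        if not isinstance(attrs, dict) or set(attrs) != set(self.REQUIRED):
            return False
        expected = sign(self._key, nonce, attrs).encode()
        supplied = str(response.get("sig", "")).encode()
        if not hmac.compare_digest(expected, supplied):
            return False               # signature first, policy second
        return self._policy_ok(attrs)

    @staticmethod
    def _policy_ok(attrs: dict) -> bool:
        # Example access policy from the text: within 50 feet, purchase of at
        # least $2. "Recent" is not quantified on the page, so it is not checked.
        return attrs["distance_ft"] <= 50 and attrs["purchase_amount"] >= 2


def demo() -> dict:
    """Run the exchange on constructed attributes and collect the outcomes."""
    server = AuthenticationModule(DEMO_KEY)
    client = AttributeManager(
        DEMO_KEY, {"distance_ft": 20, "purchase_amount": 3.25, "noise_db": 61})
    answer = client.respond(server.challenge())
    results = {"fresh": server.verify(answer),
               "replayed": server.verify(answer)}
    tampered = client.respond(server.challenge())
    tampered["attrs"]["purchase_amount"] = 4.00    # changed after signing
    results["tampered"] = server.verify(tampered)
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the nonce into the signed bytes is what makes a captured answer useless for a second request; the signature alone only shows that the attributes were once produced by the key holder.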
- Although the operations described herein may be described as a sequential process, some of the operations may in fact be performed in parallel or concurrently. In addition, in some embodiments the order of the operations may be rearranged without departing from the spirit of the invention.
- The techniques described herein are not limited to any particular hardware or software configuration; they may find applicability in any computing or processing environment. The techniques may be implemented in hardware, software, or a combination of the two. The techniques may be implemented in programs executing on programmable machines such as mobile or stationary computers, personal digital assistants, set top boxes, cellular telephones and pagers, and other electronic devices, that each include a processor, a storage medium readable by the processor (including volatile and non-volatile memory and/or storage elements), at least one input device, and one or more output devices. Program code is applied to the data entered using the input device to perform the functions described and to generate output information. The output information may be applied to one or more output devices. One of ordinary skill in the art may appreciate that the invention can be practiced with various computer system configurations, including multiprocessor systems, minicomputers, mainframe computers, and the like. The invention can also be practiced in distributed computing environments where tasks may be performed by remote processing devices that are linked through a communications network.
- Each program may be implemented in a high level procedural or object oriented programming language to communicate with a processing system. However, programs may be implemented in assembly or machine language, if desired. In any case, the language may be compiled or interpreted.
- Program instructions may be used to cause a general-purpose or special-purpose processing system that is programmed with the instructions to perform the operations described herein. Alternatively, the operations may be performed by specific hardware components that contain hardwired logic for performing the operations, or by any combination of programmed computer components and custom hardware components.
- The methods described herein may be provided as a computer program product that may include a machine readable medium having stored thereon instructions that may be used to program a processing system or other electronic device to perform the methods. The term “machine readable medium” used herein shall include any medium that is capable of storing or encoding a sequence of instructions for execution by the machine and that cause the machine to perform any one of the methods described herein. The term “machine readable medium” shall accordingly include, but not be limited to, solid-state memories, optical and magnetic disks, and a carrier wave that encodes a data signal. Furthermore, it is common in the art to speak of software, in one form or another (e.g., program, procedure, process, application, module, logic, and so on) as taking an action or causing a result. Such expressions are merely a shorthand way of stating that the execution of the software by a processing system causes the processor to perform an action or produce a result.
- While this invention has been described with reference to illustrative embodiments, this description is not intended to be construed in a limiting sense. Various modifications of the illustrative embodiments, as well as other embodiments of the invention, which are apparent to persons skilled in the art to which the invention pertains are deemed to lie within the spirit and scope of the invention.
Claims (23)
1. A method comprising:
receiving a request for access to a protected resource;
receiving contextual attributes associated with the request;
comparing the contextual attributes against a policy database; and
granting access if the contextual attributes are valid according to a policy in the policy database.
2. The method according to claim 1 further comprising authenticating the request for access prior to comparing the contextual attributes against a policy database.
3. The method according to claim 2 wherein authenticating the request comprises authenticating the contextual attributes associated with the request.
4. The method according to claim 1 wherein the contextual attributes comprise at least one of information about a subject of the request, information about the protected resource and information about a type of transaction pertaining to the request.
5. The method according to claim 1 wherein the contextual attributes comprise a type and the type includes at least one of an identification attribute, an implicit attribute and an explicit attribute.
6. The method according to claim 1 wherein the policy in the policy database includes at least one policy statement defined by at least one contextual attribute.
7. The method according to claim 1 wherein the contextual attributes include at least one of ambient noise level, brightness, air temperature, atmospheric pressure, time, an electronic receipt and a location.
8. An article comprising a machine-accessible medium having stored thereon instructions that, when executed by a machine, cause the machine to:
receive a request for access to a protected resource;
receive contextual attributes associated with the request;
compare the contextual attributes against a policy database; and
grant access if the contextual attributes are valid according to a policy in the policy database.
9. The article according to claim 8 wherein the instructions, when executed by the machine, further cause the machine to authenticate the request for access prior to comparing the contextual attributes against a policy database.
10. The article according to claim 9 wherein the instructions, when executed by the machine, further cause the machine to authenticate the request by authenticating the contextual attributes associated with the request.
11. The article according to claim 8 wherein the contextual attributes comprise at least one of information about a subject of the request, information about the protected resource and information about a type of transaction pertaining to the request.
12. The article according to claim 8 wherein the contextual attributes comprise a type and the type includes at least one of an identification attribute, an implicit attribute and an explicit attribute.
13. The article according to claim 8 wherein the policy in the policy database includes at least one policy statement defined by at least one contextual attribute.
14. A method comprising:
requesting access to a protected resource;
collecting contextual attributes associated with the request, the contextual attributes comprising at least one of information about a subject of the request, information about the protected resource and information about a type of transaction pertaining to the request, the contextual attributes further comprising a type and the type including at least one of an identification attribute, an implicit attribute and an explicit attribute;
transmitting the contextual attributes with the request.
15. The method according to claim 14 wherein collecting contextual attributes further comprises retrieving the contextual information from a trusted platform.
16. The method according to claim 14 further comprising receiving authorization to access the protected resource if the contextual attributes transmitted with the request match a policy in a policy database.
17. An article comprising a machine-accessible medium having stored thereon instructions that, when executed by a machine, cause the machine to:
request access to a protected resource;
collect contextual attributes associated with the request, the contextual attributes comprising at least one of information about a subject of the request, information about the protected resource and information about a type of transaction pertaining to the request, the contextual attributes further comprising a type and the type including at least one of an identification attribute, an implicit attribute and an explicit attribute;
transmit the contextual attributes with the request.
18. The article according to claim 17 wherein the instructions, when executed by the machine, further cause the machine to collect contextual attributes by retrieving the contextual information from a trusted platform.
19. The article according to claim 17 wherein the instructions, when executed by the machine, further cause the machine to receive authorization to access the protected resource if the contextual attributes transmitted with the request match a policy in a policy database.
20. An access control system comprising:
a client device capable of transmitting a request to a service provider requesting access to a protected resource, the client device further capable of transmitting contextual information with the access request; and
a resource manager of the service provider capable of receiving the request from the client device for access to the protected resource, the resource manager capable of comparing the received contextual attributes against a policy database and granting access to the protected resource if the contextual attributes are valid according to a policy in the policy database.
21. The access control system of claim 20 wherein the contextual information comprises at least one of information about a subject of the request, information about the protected resource and information about a type of transaction pertaining to the request.
22. The access control system of claim 21 wherein the contextual attributes comprise a type and the type includes at least one of an identification attribute, an implicit attribute and an explicit attribute.
23. The access control system of claim 20, wherein the client device further includes a trusted platform capable of storing the contextual attributes.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/317,879 US20060236369A1 (en) | 2005-03-24 | 2005-12-21 | Method, apparatus and system for enforcing access control policies using contextual attributes |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/089,885 US20060218621A1 (en) | 2005-03-24 | 2005-03-24 | Method for enabling authentication without requiring user identity information |
US11/317,879 US20060236369A1 (en) | 2005-03-24 | 2005-12-21 | Method, apparatus and system for enforcing access control policies using contextual attributes |
Related Parent Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/089,885 Continuation-In-Part US20060218621A1 (en) | 2005-03-24 | 2005-03-24 | Method for enabling authentication without requiring user identity information |
Publications (1)
Publication Number | Publication Date |
---|---|
US20060236369A1 (en) | 2006-10-19 |
Family
ID=46323441
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/317,879 Abandoned US20060236369A1 (en) | 2005-03-24 | 2005-12-21 | Method, apparatus and system for enforcing access control policies using contextual attributes |
Country Status (1)
Country | Link |
---|---|
US (1) | US20060236369A1 (en) |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US20060236369A1 (en) | | Method, apparatus and system for enforcing access control policies using contextual attributes |
US11700257B2 (en) | | System and method for storing and distributing consumer information |
US20230239284A1 (en) | | Federated identity management with decentralized computing platforms |
US20060218621A1 (en) | | Method for enabling authentication without requiring user identity information |
US9397838B1 (en) | | Credential management |
US10491593B2 (en) | | Multi-dimensional framework for defining criteria that indicate when authentication should be revoked |
JP6054457B2 (en) | | Private analysis with controlled disclosure |
Joshi et al. | | Unified authentication and access control for future mobile communication-based lightweight IoT systems using blockchain |
US9043891B2 (en) | | Preserving privacy with digital identities |
US20110276563A1 (en) | | Systems, methods, and computer readable media for security in profile utilizing systems |
US20220224535A1 (en) | | Dynamic authorization and access management |
US20210234705A1 (en) | | Improved system and method for internet access age-verification |
CN110210249A (en) | | The system and method for track query function of hideing are realized based on data obfuscation |
US11824850B2 (en) | | Systems and methods for securing login access |
Guo et al. | | Using blockchain to control access to cloud data |
CA3050487A1 (en) | | System and method for storing and distributing consumer information |
Liu et al. | | An integrated scheme based on service classification in pervasive mobile services |
KR20140011795A (en) | | Method of subscription, authentication and payment without resident registration number |
Wang et al. | | Not yet another digital ID: privacy-preserving humanitarian aid distribution |
CN105743883B (en) | | A kind of the identity attribute acquisition methods and device of network application |
Marx et al. | | Increasing security and privacy in user-centric identity management: The idm card approach |
Put et al. | | Attribute-based privacy-friendly access control with context |
Guo et al. | | Search engine based proper privacy protection scheme |
KR101594315B1 (en) | | Service providing method and server using third party's authentication |
Put et al. | | PACCo: Privacy-friendly Access Control with Context. |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | AS | Assignment | Owner name: INTEL CORPORATION, CALIFORNIA; Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:COVINGTON, MICHAEL J.;SASTRY, MANOJ R.;REEL/FRAME:023723/0161; Effective date: 20060615 |
 | STCB | Information on status: application discontinuation | Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION |